Skip to content

security-incident-mergeincidents.md

Latest commit

 

History

History
126 lines (96 loc) · 4.37 KB

security-incident-mergeincidents.md

File metadata and controls

126 lines (96 loc) · 4.37 KB
title incident: mergeIncidents
description Merge multiple incidents into a single incident.
author HarelDamti
ms.localizationpriority medium
ms.subservice security
doc_type apiPageType
ms.date 02/24/2026

incident: mergeIncidents

Namespace: microsoft.graph.security

[!INCLUDE beta-disclaimer]

Merge multiple incident resources into a single incident.

[!INCLUDE national-cloud-support]

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

[!INCLUDE permissions-table]

[!INCLUDE rbac-security-alerts-incidents-apis-write]

HTTP request

POST /security/incidents/mergeIncidents

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Request body

In the request body, provide a JSON object with the following parameters.

Parameter Type Description
incidentIds String collection Required. The IDs of the incidents to merge.
incidentComment String Optional. A comment to add to the merged incident.
mergeReasons microsoft.graph.security.correlationReason Optional. The correlation reasons for merging the incidents. This object is a flags enum that allows multiple values to be specified.

Response

If successful, this action returns a 200 OK response code and a microsoft.graph.security.mergeResponse object in the response body.

Examples

Example 1: Merge incidents

Request

The following example merges two incidents.

HTTP

POST https://graph.microsoft.com/beta/security/incidents/mergeIncidents
Content-Type: application/json

{
  "incidentIds": [
    "2972395",
    "2972396"
  ],
  "incidentComment": "Merging related incidents from the same campaign",
  "mergeReasons": "sameCampaign, sameActor"
}

C#

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Go

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Java

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

JavaScript

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

PHP

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Python

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Response

The following example shows the response.

HTTP/1.1 200 OK
Content-type: application/json

{
  "targetIncidentId": "2972395"
}